Sometimes you have to make sacrifices; often I wish I could place IT professionals at large banks on a sodding altar and cut their balls off. Anyway.

On some rare, horrible occasions, you need to force the type of SSL/TLS used for an upstream. You do that as follows.

    upstream shittyserver {
        server 8.8.8.8:443;
    }

    server {
        listen 443;
        server_name dodgyproxy.com;
        access_log /var/log/nginx/access.log;
        error_log /var/log/…
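
An added example, not the original post's config (which is cut off above): one way to pin the protocol nginx offers to an upstream with `proxy_ssl_protocols`, scoped to a single location and with upstream certificate verification switched on. The upstream name, host names and file paths are placeholders.

```nginx
# Added example. All names, hosts and paths below are placeholders.
upstream legacy_upstream {
    server legacy-upstream.example:443;
}

server {
    listen 443 ssl;
    server_name proxy.example;

    ssl_certificate     /etc/nginx/tls/proxy.example.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/proxy.example.key;   # placeholder path

    # The client-facing side keeps a modern protocol set no matter what
    # the upstream needs (TLSv1.3 requires nginx built against OpenSSL 1.1.1+).
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://legacy_upstream;

        # Pin the protocol used towards this upstream only. If the upstream
        # really cannot do better, list just the one version it speaks here
        # and keep the directive inside this location so every other proxied
        # backend still gets the default protocol set.
        proxy_ssl_protocols TLSv1.2;

        # nginx does not verify upstream certificates unless told to.
        # A pinned or downgraded protocol without verification leaves the
        # proxy-to-upstream hop open to interception.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/upstream-ca.pem;  # placeholder path

        # With an upstream{} block the default name checked against the
        # certificate is the block name, so set the real host name and send SNI.
        proxy_ssl_server_name on;
        proxy_ssl_name        legacy-upstream.example;

        proxy_set_header Host legacy-upstream.example;
    }
}
```

`nginx -t` validates the file before a reload; handshake failures towards the upstream show up in the error log as SSL handshake errors on the upstream connection.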